hipaa privacy rule implementation status report richard m. campanelli, j.d. director, office for...
DESCRIPTION
3 Entities Most Complained Against (as of 3/31/2005) Private Practices General Hospitals Pharmacies Outpatient Facilities Group Health PlansTRANSCRIPT
HIPAA Privacy Rule Implementation Status
ReportRichard M. Campanelli, J.D.
Director, Office for Civil RightsBefore the
The Tenth National HIPAA SummitApril 8, 2005
2
Status of Complaints (Through March 31, 2005)
11,920 logged in nationally, 65% already closed
Most common closure reasons:– Non-jurisdictional (Not Covered Entity or
Violation alleged predated 4/14/2003)– Allegation not prohibited by the Privacy Rule– Matter was resolved through voluntary
compliance and technical assistance
3
Entities Most Complained Against (as of 3/31/2005)
Private Practices General Hospitals Pharmacies Outpatient Facilities Group Health Plans
4
Common Allegations (through March 31, 2005)
Impermissible Uses/Disclosures Inadequate safeguards Access to records denied or charged
excessive fees Failure to adhere to minimum necessary
procedures Failure to obtain a valid authorization
where one is required
5
Disclosing PHI in Litigation
Permitted uses/disclosures of PHI for litigation include, for example:– Required by law (e.g., court-ordered)– Payment (e.g., collection action)– With individual’s authorization– §164.512(e)—judicial and
administrative proceedings– For covered entity’s (CE) health
care operations
6
Disclosing PHI in Litigation
Whether litigation uses and disclosures fall under §164.512(e) or health care operations (hco) depends on whether the covered entity is a party to the proceeding- CE non-party: §164.512(e)- CE party: health care operations
7
Disclosing PHI in Litigation: CE as Non-Party
When CE is a non-party, it may disclose PHI for judicial or administrative proceedings if in response to:– Order of a court or administrative tribunal– Subpoena, discovery request, or other
lawful process, on satisfactory assurance of notice or qualified protective order
8
Satisfactory Assurances: Non-Party CE Disclosures
Documentation that notice was provided to the individual’s lawyer is sufficient
Copy of subpoena/other request may be sufficient if on its face it shows– Adequate notice was provided
• Sufficient detail to allow objections– Time for objections lapsed without
objection, or all objections resolved
9
Disclosing PHI in Litigation: CE as a Party
When CE is a party to the proceeding, it may use or disclose PHI for litigation as part of its health care operations
10
Disclosing PHI in Litigation
Minimum necessary applies– CE may reasonably rely on lawyer’s
minimum necessary representation when sharing information with lawyer who is workforce or business associate
– Lawyer, as workforce or business associate, must apply minimum necessary to its disclosures
11
Lawyers and Minimum Necessary
When lawyer discloses minimum necessary PHI, depending on context, it may mean something more than mere relevance, e.g.,– De-identification– Stripping direct identifiers– Removing certain health or treatment
information not pertinent to issue raised in litigation
12
Lawyer/BAs and their Agents
BA contract requires BA/lawyers to ensure that their agents or subcontractors protect privacy, just as the lawyer must. – Includes 3rd parties that further lawyer’s legal
services to CE, e.g., other legal counsel, jury consultants, file managers, investigators, litigation support personnel
– Does not include opposing counsel, fact witness, others not assisting lawyer in providing legal services to client
13
Using and Disclosing PHI to an Interpreter
When interpreter is
- Workforce member of CEor
- BA of CE
No authorization of the individual is required
14
Interpreter Identified by Individual
When interpreter is identified by individual as involved in care, CE may
- Ascertain that individual agrees or does not object to disclosure to interpreter
or- Exercising professional judgment, reasonably infer from the circumstances
that individual does not object to disclosure to interpreter
15
Application in Provider Setting
No employee, volunteer or contractor is available to competently interpret for an individual
- Provider identifies and contacts a telephone interpreter service
- Interpreter explains to patient that interpreter is available to assist
From context, provider may judge whether individual wants this assistance (§164.510(b))
Provider may then reasonably infer that individual does not object to disclosure of PHI to interpreter
16
Title VI of Civil Rights Act of 1964
Covered entities may also have obligations under Title VI of the Civil Rights Act of 1964 to take reasonable steps to provide meaningful access to LEP persons
Consult OCR’s guidance on Title VI obligations to LEP persons for important discussion of other considerations in providing language services